I/O tab N/A on Debian/Ubuntu #20

Open
Vanav opened this issue Mar 16, 2023 · 4 comments

Comments

Vanav commented Mar 16, 2023

The I/O tab shows N/A on a fresh install of Ubuntu/Debian (any version, e.g. Ubuntu 22.04, Debian 11). I've connected all plugs. I see no errors in syslog from apparmor. This issue does not occur on the CentOS snap. Other users have the same issue too (#18).

Maybe this is related, but I don't see it every time:

kernel: [87874.809717] audit: type=1400 audit(1678972246.849:72): apparmor="DENIED" operation="capable" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=3095775 comm="snap-confine" capability=12 capname="net_admin"
kernel: [87874.811390] audit: type=1400 audit(1678972246.849:73): apparmor="DENIED" operation="capable" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=3095775 comm="snap-confine" capability=38 capname="perfmon"

Environment and debug:

# snap debug confinement 

strict

# snap debug sandbox-features

apparmor:             kernel:caps kernel:dbus kernel:domain kernel:file kernel:ipc kernel:mount kernel:namespaces kernel:network kernel:network_v8 kernel:policy kernel:ptrace kernel:query kernel:rlimit kernel:signal parser:cap-audit-read parser:cap-bpf parser:mqueue parser:qipcrtr-socket parser:unsafe parser:xdp policy:default support-level:full
confinement-options:  classic devmode strict
dbus:                 mediated-bus-access
kmod:                 mediated-modprobe
mount:                layouts mount-namespace per-snap-persistency per-snap-profiles per-snap-updates per-snap-user-profiles stale-base-invalidation
seccomp:              bpf-actlog bpf-argument-filtering kernel:allow kernel:errno kernel:kill_process kernel:kill_thread kernel:log kernel:trace kernel:trap kernel:user_notif
udev:                 tagging

# snap connections htop

Interface         Plug                   Slot               Notes
hardware-observe  htop:hardware-observe  :hardware-observe  -
mount-observe     htop:mount-observe     :mount-observe     manual
network           htop:network           :network           -
network-control   htop:network-control   :network-control   manual
process-control   htop:process-control   :process-control   -
system-observe    htop:system-observe    :system-observe    -

# snap list

Name     Version   Rev    Tracking       Publisher     Notes
certbot  2.4.0     2836   latest/stable  certbot-eff✓  classic
core20   20230207  1828   latest/stable  canonical✓    base
core22   20230210  522    latest/stable  canonical✓    base
htop     3.2.2     3654   latest/stable  maxiberta     -
snapd    2.58.2    18357  latest/stable  canonical✓    snapd

# SNAPD_DEBUG=1 SNAP_CONFINE_DEBUG=1 snap run htop

2023/03/16 16:06:27.914156 tool_linux.go:204: DEBUG: restarting into "/snap/snapd/current/usr/bin/snap"
2023/03/16 16:06:27.930338 logger.go:184: DEBUG: -- snap startup {"stage":"start", "time":"1678971987.930332"}
2023/03/16 16:06:27.938103 cmd_run.go:1037: DEBUG: executing snap-confine from /snap/snapd/18357/usr/lib/snapd/snap-confine
2023/03/16 16:06:27.939851 cmd_run.go:440: DEBUG: SELinux not enabled
2023/03/16 16:06:27.939922 tracking.go:46: DEBUG: creating transient scope snap.htop.htop
2023/03/16 16:06:27.939942 tracking.go:189: DEBUG: session bus is not available: cannot find session bus
2023/03/16 16:06:27.939950 tracking.go:191: DEBUG: falling back to system bus
2023/03/16 16:06:27.940724 tracking.go:196: DEBUG: using system bus now, session bus was not available
2023/03/16 16:06:27.942291 tracking.go:319: DEBUG: create transient scope job: /org/freedesktop/systemd1/job/1571
2023/03/16 16:06:27.959259 tracking.go:419: DEBUG: job result is "done"
2023/03/16 16:06:27.959310 tracking.go:426: DEBUG: transient scope snap.htop.htop.33fce624-45a0-494b-870a-0859a05e9c21.scope created
2023/03/16 16:06:27.959691 tracking.go:146: DEBUG: waited 18.893718ms for tracking
2023/03/16 16:06:27.959721 logger.go:184: DEBUG: -- snap startup {"stage":"snap to snap-confine", "time":"1678971987.959717"}
DEBUG: -- snap startup {"stage":"snap-confine enter", "time":"1678971987.962342"}
DEBUG: umask reset, old umask was  022
DEBUG: security tag: snap.htop.htop
DEBUG: executable:   /usr/lib/snapd/snap-exec
DEBUG: confinement:  non-classic
DEBUG: base snap:    core22
DEBUG: ruid: 0, euid: 0, suid: 0
DEBUG: rgid: 0, egid: 0, sgid: 0
DEBUG: apparmor label on snap-confine is: /snap/snapd/18357/usr/lib/snapd/snap-confine
DEBUG: apparmor mode is: enforce
DEBUG: -- snap startup {"stage":"snap-confine mount namespace start", "time":"1678971987.963121"}
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope (global), uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: ensuring that snap mount directory is shared
DEBUG: unsharing snap namespace directory
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: releasing lock 5
DEBUG: opened snap-update-ns executable as file descriptor 5
DEBUG: opened snap-discard-ns executable as file descriptor 6
DEBUG: creating lock directory /run/snapd/lock (if missing)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock directory /run/snapd/lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: opening lock file: /run/snapd/lock/htop.lock
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: set_effective_identity uid:0 (change: no), gid:0 (change: yes)
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: acquiring exclusive lock (scope htop, uid 0)
DEBUG: sanity timeout reset and disabled
DEBUG: initializing mount namespace: htop
DEBUG: setting up device cgroup
DEBUG: libudev has current tags support
DEBUG: device /sys/devices/virtual/misc/rfkill has matching current tag
DEBUG: get bpf object at path /sys/fs/bpf/snap/snap_htop_htop
DEBUG: found existing device map
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: get next key for map 8
DEBUG: found 18 existing entries in devices map
DEBUG: delete key for c 139:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 143:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:9
DEBUG: delete elem in map 8
DEBUG: delete key for c 138:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:3
DEBUG: delete elem in map 8
DEBUG: delete key for c 142:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 136:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 137:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 5:2
DEBUG: delete elem in map 8
DEBUG: delete key for c 10:242
DEBUG: delete elem in map 8
DEBUG: delete key for c 5:1
DEBUG: delete elem in map 8
DEBUG: delete key for c 141:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:5
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:8
DEBUG: delete elem in map 8
DEBUG: delete key for c 140:-1
DEBUG: delete elem in map 8
DEBUG: delete key for c 5:0
DEBUG: delete elem in map 8
DEBUG: delete key for c 10:200
DEBUG: delete elem in map 8
DEBUG: delete key for c 1:7
DEBUG: delete elem in map 8
DEBUG: load program of type 0xf, 33 instructions
DEBUG: v2 allow c 1:3
DEBUG: v2 allow c 1:5
DEBUG: v2 allow c 1:7
DEBUG: v2 allow c 1:8
DEBUG: v2 allow c 1:9
DEBUG: v2 allow c 5:0
DEBUG: v2 allow c 5:1
DEBUG: v2 allow c 5:2
DEBUG: v2 allow c 136:4294967295
DEBUG: v2 allow c 137:4294967295
DEBUG: v2 allow c 138:4294967295
DEBUG: v2 allow c 139:4294967295
DEBUG: v2 allow c 140:4294967295
DEBUG: v2 allow c 141:4294967295
DEBUG: v2 allow c 142:4294967295
DEBUG: v2 allow c 143:4294967295
DEBUG: v2 allow c 10:200
DEBUG: inspecting type of device: /dev/rfkill
DEBUG: v2 allow c 10:242
DEBUG: device /sys/devices/virtual/misc/tun has matching current tag
DEBUG: inspecting type of device: /dev/net/tun
DEBUG: v2 allow c 10:200
DEBUG: device /sys/module/rfkill has matching current tag
DEBUG: cannot get major/minor numbers for syspath /sys/module/rfkill
DEBUG: process in cgroup /system.slice/snap.htop.htop.33fce624-45a0-494b-870a-0859a05e9c21.scope
DEBUG: cgroup /sys/fs/cgroup//system.slice/snap.htop.htop.33fce624-45a0-494b-870a-0859a05e9c21.scope opened at 12
DEBUG: attach type 0x6 program 10 to cgroup 12
DEBUG: associated snap application process 348196 with device cgroup snap.htop.htop
DEBUG: forked support process 348212
DEBUG: changing apparmor hat to mount-namespace-capture-helper
DEBUG: helper process waiting for command
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: block device of snap core22, revision 547 is 7:5
DEBUG: sanity timeout initialized and set for 30 seconds
DEBUG: joining preserved mount namespace for inspection
DEBUG: found base snap device 7:5 on /
DEBUG: sanity timeout reset and disabled
DEBUG: preserved mount is not stale, reusing
DEBUG: joined preserved mount namespace htop
DEBUG: releasing lock 7
DEBUG: sending command 0 to helper process (pid: 348212)
DEBUG: sanity timeout reset and disabled
DEBUG: helper process received command 0
DEBUG: helper process exiting
DEBUG: waiting for response from helper
DEBUG: waiting for the helper process to exit
DEBUG: helper process exited normally
DEBUG: resetting PATH to values in sync with core snap
DEBUG: -- snap startup {"stage":"snap-confine mount namespace finish", "time":"1678971987.970799"}
DEBUG: set_effective_identity uid:0 (change: yes), gid:0 (change: yes)
DEBUG: creating user data directory: /root/snap/htop/3654
DEBUG: requesting changing of apparmor profile on next exec to snap.htop.htop
DEBUG: ruid: 0, euid: 0, suid: 0
DEBUG: loading bpf program for security tag snap.htop.htop
DEBUG: read 6608 bytes from /var/lib/snapd/seccomp/bpf//snap.htop.htop.bin
DEBUG: read 152 bytes from /var/lib/snapd/seccomp/bpf/global.bin
DEBUG: execv(/usr/lib/snapd/snap-exec, /usr/lib/snapd/snap-exec...)
DEBUG:  argv[1] = htop
DEBUG: umask restored to  022
DEBUG: working directory restored to /root
DEBUG: -- snap startup {"stage":"snap-confine to snap-exec", "time":"1678971987.972417"}
2023/03/16 16:06:27.975617 logger.go:184: DEBUG: -- snap startup {"stage":"snap-exec to app", "time":"1678971987.975612"}

Vanav commented Mar 16, 2023

How to reproduce

  1. Install Vagrant
  2. Install VirtualBox
  3. Run VM:
# mkdir vagrant-ubuntu
# cd vagrant-ubuntu
# vagrant init http://cloud-images.ubuntu.com/releases/jammy/release-20230302/ubuntu-22.04-server-cloudimg-amd64-vagrant.box
# vagrant up
# vagrant ssh
  4. Inside VM:
$ sudo -i
# snap install htop
# snap connect htop:mount-observe
# snap connect htop:network-control
# snap run htop
  5. Switch to I/O tab and notice N/A.
  6. Logs:
# tail /var/log/syslog

Mar 16 22:29:05 ubuntu-jammy systemd[1]: Started snap.htop.htop.ec9fbaf0-7f5f-4881-8cf2-7c74db66ab22.scope.
Mar 16 22:29:05 ubuntu-jammy kernel: [  574.917570] audit: type=1400 audit(1679005745.991:70): apparmor="DENIED" operation="capable" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=2500 comm="snap-confine" capability=12  capname="net_admin"
Mar 16 22:29:05 ubuntu-jammy kernel: [  574.917573] audit: type=1400 audit(1679005745.991:71): apparmor="DENIED" operation="capable" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=2500 comm="snap-confine" capability=38  capname="perfmon"
Mar 16 22:29:06 ubuntu-jammy kernel: [  574.926936] audit: type=1400 audit(1679005745.999:72): apparmor="DENIED" operation="capable" profile="snap.htop.htop" pid=2500 comm="bash" capability=2  capname="dac_read_search"
Mar 16 22:29:06 ubuntu-jammy kernel: [  574.926940] audit: type=1400 audit(1679005745.999:73): apparmor="DENIED" operation="capable" profile="snap.htop.htop" pid=2500 comm="bash" capability=1  capname="dac_override"
Mar 16 22:29:19 ubuntu-jammy systemd[1]: snap.htop.htop.ec9fbaf0-7f5f-4881-8cf2-7c74db66ab22.scope: Deactivated successfully.
  7. Stop all:
# exit
$ exit
# vagrant halt
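
The syslog excerpt in the reproduction steps can be triaged mechanically. The following is an added example (not code from this issue, from htop, or from snapd) that parses the kernel audit lines shown above, groups the AppArmor capability denials by profile, and separates denials against the snap's own profile (snap.htop.htop) from denials against snap-confine's path-based profile, since those two are fixed in different places; the sample lines are copied from the issue, and the key=value parsing assumes the audit format they show.

```python
import re
from collections import defaultdict

# Sample lines copied from the issue's `tail /var/log/syslog` output above.
SAMPLE_SYSLOG = """\
Mar 16 22:29:05 ubuntu-jammy systemd[1]: Started snap.htop.htop.ec9fbaf0-7f5f-4881-8cf2-7c74db66ab22.scope.
Mar 16 22:29:05 ubuntu-jammy kernel: [  574.917570] audit: type=1400 audit(1679005745.991:70): apparmor="DENIED" operation="capable" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=2500 comm="snap-confine" capability=12  capname="net_admin"
Mar 16 22:29:05 ubuntu-jammy kernel: [  574.917573] audit: type=1400 audit(1679005745.991:71): apparmor="DENIED" operation="capable" profile="/snap/snapd/18357/usr/lib/snapd/snap-confine" pid=2500 comm="snap-confine" capability=38  capname="perfmon"
Mar 16 22:29:06 ubuntu-jammy kernel: [  574.926936] audit: type=1400 audit(1679005745.999:72): apparmor="DENIED" operation="capable" profile="snap.htop.htop" pid=2500 comm="bash" capability=2  capname="dac_read_search"
Mar 16 22:29:06 ubuntu-jammy kernel: [  574.926940] audit: type=1400 audit(1679005745.999:73): apparmor="DENIED" operation="capable" profile="snap.htop.htop" pid=2500 comm="bash" capability=1  capname="dac_override"
"""

# Kernel audit fields are either key="quoted value" or key=bareword.
_KV = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
_INT_FIELDS = {"pid", "capability"}


def parse_apparmor_denials(text):
    """Return one dict per apparmor="DENIED" line, keyed by its audit fields."""
    records = []
    for line in text.splitlines():
        if 'apparmor="DENIED"' not in line:
            continue  # systemd scope messages and other noise are skipped
        rec = {}
        for key, quoted, bare in _KV.findall(line):
            value = quoted if quoted else bare
            rec[key] = int(value) if key in _INT_FIELDS else value
        records.append(rec)
    return records


def summarize_capabilities(records):
    """Map each profile to the sorted list of capability names it was denied."""
    by_profile = defaultdict(set)
    for rec in records:
        if rec.get("operation") == "capable":
            by_profile[rec["profile"]].add(rec["capname"])
    return {profile: sorted(names) for profile, names in by_profile.items()}


def app_profile_denials(records, snap_name):
    """Denials against the snap's own app profile (snap.<name>.*), as opposed to
    snap-confine's path-based profile, which belongs to snapd rather than the snap."""
    prefix = f"snap.{snap_name}."
    return [r for r in records if r.get("profile", "").startswith(prefix)]
```

Run against a live log, the two groups tell you whether a denial is something the snap's interface plugs could grant or something in snapd's own confinement helper.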

cgzones commented Mar 28, 2023

Mar 16 22:29:06 ubuntu-jammy kernel: [ 574.926936] audit: type=1400 audit(1679005745.999:72): apparmor="DENIED" operation="capable" profile="snap.htop.htop" pid=2500 comm="bash" capability=2 capname="dac_read_search"

htop needs several capabilities for accessing process information, see https://github.com/htop-dev/htop/blob/e207c8aebdcdb88bc8ab838e2ac3dd1774d6a618/linux/Platform.c#L932-L940

Vanav commented Mar 28, 2023

Yes. I've tried to add the capability dac_read_search to the htop apparmor profile, and tried to disable htop apparmor, but still no luck. Maybe I need to add capabilities to snap-confine, but I've found no clear way.

@kotenok2000

You can disable apparmor completely. Create the file /etc/default/grub.d/apparmor.cfg with the following as its content:

GRUB_CMDLINE_LINUX_DEFAULT=" $GRUB_CMDLINE_LINUX_DEFAULT apparmor=0 "

Then run sudo update-grub.
